Need help with streamstats search -- need to displ...

lyndac · ‎09-05-2017

I have a requirement to display the count of data received over the last 7 days. I need to show the total with a data point every 15 minutes and the count should reset (start over at 0) at midnight. (The graph looks like a saw tooth, growing til midnight then a line down to 0 and starting to grow again). The search I have is working great. I just need to somehow display the time (mm/dd hh:mm) on the x-axis.

This is my search:

index=foo | timechart span=15m count as count | addtotals fieldname=count | eval time=strftime(_time,"%H:%M") | streamstats sum(count) as totalCount  reset_after="("match(time,\"23:45\")")" |table _time, totalCount | eval _time=strftime(_time, "%m/%d %H:%M")

This generates the correct data points, but there are no labels on the x-axis where I'd like the _time to display. Currently the user must hover over a datapoint to see what date they are looking at.
Any ideas?

somesoni2 · ‎09-05-2017

Give this a try

index=foo | timechart span=15m count  | eval day=relative_time(_time,"@d") | streamstats sum(count) as totalCount  by day |table _time, totalCount | eval _time=strftime(_time, "%m/%d %H:%M")

Need help with streamstats search -- need to display _time on x-axis.

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms